Identity: JWT Bearer Authentication : Set-Cookie in header response filled

Created on 11 Sep 2017  路  5Comments  路  Source: aspnet/Identity

Hello,

I don't understand why i have a cookie filled in my response header while i use JWT Bearer Authentication. And i can't find way how to configure correctly.

When I authenticate on my webAPI, in my reponse i have :
Set-Cookie: .AspNetCore.Identity.Application=CfDJ8KKk9DCF-3ZMv5e0QMpwpsulx6nT_6d68JTe0a8VPBM ...; path=/; samesite=lax; httponly api-supported-versions: 1

My startup look like this :

Configure :

app.UseAuthentication();
app.UseMvc();

ConfigureServices :

           services.Configure<IdentityOptions>(options =>
            {
                // Password settings
                options.Password.RequireDigit = true;
                options.Password.RequiredLength = 16;
                options.Password.RequireNonAlphanumeric = true;
                options.Password.RequireUppercase = true;
                options.Password.RequireLowercase = true;

                // User settings
                options.User.RequireUniqueEmail = true;
            });

            // Add framework services.
            services.AddEntityFrameworkNpgsql()
                .AddDbContext<ApplicationDbContext>(options => options.UseNpgsql(Configuration.GetConnectionString("ConnectionString")));

            services.AddIdentity<ApplicationUser, IdentityRole>()
                .AddEntityFrameworkStores<ApplicationDbContext>()
                .AddDefaultTokenProviders();

            services.AddAuthentication(options =>
                {
                    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                })
            .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new AuthenticationConfiguration(Configuration).JwtTokenValidationParameters;
                    options.SaveToken = true;
                });

And for authenticate i use :

var result = await _signInManager.PasswordSignInAsync(username, password, false, lockoutOnFailure: false);

Is there a way to have no cookie in my response header ?

Thx

duplicate

Most helpful comment

@jcmordan
You can achieve it like this:

```C#
var user = await _userManager.FindByNameAsync(userName);
if (user == null)
{
return BadRequest("Invalid credentials");
}

var result = await _signInManager.CheckPasswordSignInAsync(user, password, true);
if (!result.Succeeded)
{
return BadRequest("Invalid credentials");
}

// Create token with user claims..
```

All 5 comments

See https://github.com/aspnet/Identity/issues/1376
With JWT you will have to manage the authentication yourself.

Yep, dupe of #1376

@hey-red @HaoK What do you mean by:

With JWT you will have to manage the authentication yourself.

I can't use _signInManager.PasswordSignInAsync anymore? what is the alternative?

@jcmordan
You can achieve it like this:

```C#
var user = await _userManager.FindByNameAsync(userName);
if (user == null)
{
return BadRequest("Invalid credentials");
}

var result = await _signInManager.CheckPasswordSignInAsync(user, password, true);
if (!result.Succeeded)
{
return BadRequest("Invalid credentials");
}

// Create token with user claims..
```

@hey-red Thx, using CheckPasswordSignInAsync solved my problem.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

anester picture anester  路  9Comments

hikalkan picture hikalkan  路  6Comments

VR-Architect picture VR-Architect  路  6Comments

Vaylandt picture Vaylandt  路  9Comments

danroth27 picture danroth27  路  4Comments